Getting Ready for a Pen Test: Step 2
July 22, 2014
In the first blog post of our three-part pen test series, we discussed the five common ways an attacker can gain access to your corporate network that you should address immediately before bringing in a pen tester. The next critical step focuses on asset identification and network segmentation.
During this process, it’s important to take inventory of what systems are on your network and what critical information is stored on those systems. There are a number of automated tools that can help you keep track of the systems on your network; however, in our experience there is no effective automated way to catalogue and prioritize data. This needs to be done by the relevant stakeholders in each of the business units of the organization. If you don’t understand what you need to protect, how can you properly protect it? As part of this, be sure to develop a hierarchy of the information so you know what your organization considers its “crown jewels.” What data would be most detrimental to your business if an attacker were to obtain it? Some examples include intellectual property, your clients’ personal information, or your business’ financial data. In a nutshell, you need to define what your company uses to make money and protect those assets.
After you’ve identified what assets and information are actually on your network, it’s time to segment that information to make sure an attacker has limited access if they do break through your perimeter. Unfortunately, many organizations have no clear separation of network traffic between endpoints at any of their locations. As pen testers, we like to call this the “castle wall effect”: once the outer perimeter is breached, almost any system can be reached from anywhere else in the environment, exposing the soft, unsecured underbelly of the internal network. Adjacent systems can be targeted to gain deeper access into the network if controls are not in place to isolate high-risk systems. The result is that an attacker who compromises a user workstation, which is a high-risk target for phishing attacks, can easily reach your server environment from the workstation network.
When developing a network segmentation plan, it’s important to understand how your organization does business and who should have access to what information, applying the principle of least privilege, which gives employees the lowest level of user rights with which they can still do their jobs. At a minimum, your segmentation plan should isolate the following groups from one another using firewall ACLs:
- Corporate resources – AD, Exchange, NAS, etc.
- Endpoints (local and remote)
- IT segment (access to management network)
- Management traffic
Finally, be sure technical controls are put in place to prevent and detect malicious activity (AV/IDS/IPS/SIEM, etc.). Although these technologies are by no means foolproof, they can detect less advanced attacks and cut down on network noise, giving you the ability to focus on the more capable, targeted attackers that may be going after your organization specifically. One example of a rule we always recommend is looking for a legitimate user or service account logging into multiple machines in a short amount of time. This is indicative of someone using a compromised account to rapidly harvest credentials from a number of machines, and it would rarely happen in day-to-day operations.
When it comes to technical controls, we recommend the following:
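The detection rule described above, written out as an added example that is not part of the original post or any particular SIEM product: a sliding window per account counts the distinct hosts it has logged into within the last few minutes and raises an alert when that count crosses a threshold. The log lines, field layout (timestamp, account, host), the five-host threshold and the five-minute window are all constructed for illustration; a real deployment would parse your own logon events (for example Windows event ID 4624) and tune the threshold to your environment.

```python
"""Flag accounts that log into many distinct hosts in a short window.

Added example for the rapid-logon detection rule; the log format, the
sample events and the thresholds below are constructed, not real data.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample logon events in a simple "timestamp account host" form,
# modelled loosely on successful-logon records. svc-backup is the suspicious one.
SAMPLE_LOG = """\
2014-07-22T09:00:05 alice WS-101
2014-07-22T09:01:10 alice WS-101
2014-07-22T09:02:00 bob WS-207
2014-07-22T10:15:00 svc-backup FS-01
2014-07-22T10:15:04 svc-backup WS-101
2014-07-22T10:15:09 svc-backup WS-102
2014-07-22T10:15:13 svc-backup WS-103
2014-07-22T10:15:20 svc-backup WS-104
2014-07-22T10:15:27 svc-backup WS-105
2014-07-22T11:30:00 carol WS-310
2014-07-22T14:00:00 carol WS-311
"""


def parse_events(text):
    """Parse 'timestamp account host' lines into a time-sorted list of tuples."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed lines
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S")
        events.append((ts, parts[1], parts[2]))
    events.sort()
    return events


def find_rapid_logons(events, window=timedelta(minutes=5), threshold=5, exempt=()):
    """Return {account: set_of_hosts} for every account that logged into at
    least `threshold` distinct hosts within any `window`-long span.

    `exempt` lists accounts with known legitimate fan-out (vulnerability
    scanners, backup jobs) so they do not drown the alert queue.
    """
    recent = defaultdict(deque)  # account -> deque of (timestamp, host) inside the window
    alerts = {}
    for ts, account, host in events:
        if account in exempt:
            continue
        q = recent[account]
        q.append((ts, host))
        # Drop events older than the window relative to the newest event.
        while q and ts - q[0][0] > window:
            q.popleft()
        hosts = {h for _, h in q}
        if len(hosts) >= threshold:
            alerts.setdefault(account, set()).update(hosts)
    return alerts


if __name__ == "__main__":
    for account, hosts in find_rapid_logons(parse_events(SAMPLE_LOG)).items():
        print(f"ALERT {account}: {len(hosts)} hosts in window -> {sorted(hosts)}")
```

Two design points worth noting. The window is evaluated relative to each new event rather than on fixed clock boundaries, so a burst that straddles a five-minute mark is not split in half and missed. And the `exempt` list exists because the rule fires on exactly the accounts that legitimately touch many hosts; rather than silently raising the threshold for everyone, keep the threshold low and maintain an explicit, reviewed list of accounts that are expected to behave that way.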
- Use outbound egress filtering with deep packet inspection. If the attacker or malware can’t phone home, it can make exfiltration of data extremely difficult.
- Ensure a proper process and the right personnel are in place for escalation when attacks are detected. This is one of the most important things the pen tester will test.
- Understand the business units in your organization and what resources they need to access, and use that as a baseline for creating ACLs and groups within Active Directory. Spend the extra time, money and resources to ensure devices are configured properly.
- Beware of vendors with all-in-one products that claim to fix all your problems. There is no such solution.
After you’ve completed the process of segmenting your network, you can move onto the third step in preparing for a pen test: understanding how to know if the test you’re getting is legit. We will discuss what you need to know in the final post in this series so you can schedule that pen test as soon as possible.